Comments in display names are incorrectly handled in net/mail
CVE-2024-24784

7.5HIGH

Key Information:

Vendor: Go Standard Library
Status: Net/mail
Vendor: CVE Published:; 5 March 2024

What is CVE-2024-24784?

The ParseAddressList function in the Go programming language incorrectly processes comments within display names, deviating from expected behavior in standard address parsers. This misalignment can create inconsistencies in trust decisions made by applications leveraging different parsing implementations, potentially leading to security risks and unexpected behavior across systems.

Affected Version(s)

net/mail 0 < 1.21.8

net/mail 1.22.0-0 < 1.22.1

References

https://go.dev/issue/65083

https://go.dev/cl/555596

https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 5, 2024
Vulnerability Reserved
Jan 30, 2024

Credit

Juho Nurminen of Mattermost

Slonser (https://github.com/Slonser)

Go Standard Library

What is CVE-2024-24784?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit